secrets for mediawiki and formatting

2022-09-06 17:16:31 +02:00 · 2022-09-06 17:16:31 +02:00 · 87bd442eed
commit 87bd442eed
parent 7131ba8691
18 changed files with 255 additions and 234 deletions
--- a/modules/base.nix
+++ b/modules/base.nix
@ -4,7 +4,7 @@
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
-  };  
+  };

  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";
--- a/modules/desktop.nix
+++ b/modules/desktop.nix
@ -1,28 +1,29 @@
 { pkgs, lib, config, office_stuff, ... }:

-let 
+let

-extra_office_packages = (lib.ifEnable config.fsr.enable_office_bloat (with pkgs; [
-  vlc 
-  libreoffice-fresh
-  okular
-  texlive.combined.scheme-full
-]));
+  extra_office_packages = (lib.ifEnable config.fsr.enable_office_bloat (with pkgs; [
+    vlc
+    libreoffice-fresh
+    okular
+    texlive.combined.scheme-full
+  ]));


-in {
+in
+{
  # enable XFCE as lightweight desktop environment
  services = {
-  	xserver.enable = true;
-	xserver.desktopManager.xfce.enable = true;
-  	xserver.displayManager.defaultSession = "xfce";
+    xserver.enable = true;
+    xserver.desktopManager.xfce.enable = true;
+    xserver.displayManager.defaultSession = "xfce";

-  	# Configure keymap in X11
-  	xserver.layout = "de";
-  	xserver.xkbOptions = "eurosign:e,ctrl:nocaps,compose:prsc";
+    # Configure keymap in X11
+    xserver.layout = "de";
+    xserver.xkbOptions = "eurosign:e,ctrl:nocaps,compose:prsc";

-  	# enable touchpad support
-  	xserver.libinput.enable = true;
+    # enable touchpad support
+    xserver.libinput.enable = true;
  };
  # enable sound
  sound.enable = true;
--- a/modules/hedgedoc.nix
+++ b/modules/hedgedoc.nix
@ -1,7 +1,8 @@
 { config, pkgs, lib, ... }:
-let 
+let
  domain = "pad.quitte.tassilo-tanneberger.de";
-in {
+in
+{
  services = {
    postgresql = {
      enable = true;
--- a/modules/infoscreen.nix
+++ b/modules/infoscreen.nix
@ -1,8 +1,9 @@
-{ pkgs, lib, config, ...}:
+{ pkgs, lib, config, ... }:
 let
  fsr-infoscreen = pkgs.fsr-infoscreen;

-in {
+in
+{

  systemd = {
    services."fsr-infoscreen" = {
@ -13,16 +14,16 @@ in {
      '';

      serviceConfig = {
-          User = "infoscreen";
-          Restart = "on-failure";
-        };
+        User = "infoscreen";
+        Restart = "on-failure";
      };
    };
+  };

-    users.users.infoscreen = {
-      name = "infoscreen";
-      description = "custom user for service infoscreen service";
-      isNormalUser = true;
-    };
+  users.users.infoscreen = {
+    name = "infoscreen";
+    description = "custom user for service infoscreen service";
+    isNormalUser = true;
+  };

 }
--- a/modules/keycloak.nix
+++ b/modules/keycloak.nix
@ -1,5 +1,5 @@
-{pkgs, config, lib, ...}: {
-  
+{ pkgs, config, lib, ... }: {
+
  sops.secrets.postgres_keycloak = {
    owner = config.systemd.services.keycloak.serviceConfig.User;
    group = "keycloak";
@ -24,8 +24,8 @@
        hostname = "keycloak.quitte.tassilo-tanneberger.de";
        http-host = "127.0.0.1";
        http-port = 8000;
-	https-port = 8001;
-	proxy = "edge";
+        https-port = 8001;
+        proxy = "edge";
      };

      database = {
@ -34,30 +34,31 @@
        passwordFile = config.sops.secrets.postgres_keycloak.path;
        name = "keycloak";
        host = "localhost";
-	createLocally = true;
+        createLocally = true;
      };
    };
    postgresql = {
      enable = true;
    };
    nginx = {
-	enable = true;
-      	recommendedProxySettings = true;
-      	virtualHosts = {
-	  "${config.services.keycloak.settings.hostname}" = {
-	    enableACME = true;
-	    forceSSL = true;
-	    http2 = true;
-	    locations = {
-	      "/" = 
-		let
-		  cfg = config.services.keycloak.settings;	
-		in {
- 		proxyPass = "http://${cfg.http-host}:${toString cfg.http-port}";
-	      };
-	    };
-	 };
-       };
+      enable = true;
+      recommendedProxySettings = true;
+      virtualHosts = {
+        "${config.services.keycloak.settings.hostname}" = {
+          enableACME = true;
+          forceSSL = true;
+          http2 = true;
+          locations = {
+            "/" =
+              let
+                cfg = config.services.keycloak.settings;
+              in
+              {
+                proxyPass = "http://${cfg.http-host}:${toString cfg.http-port}";
+              };
+          };
+        };
+      };
    };
  };
 }
--- a/modules/options.nix
+++ b/modules/options.nix
@ -1,4 +1,4 @@
-{config, lib, ...}: with lib; {
+{ config, lib, ... }: with lib; {
  options.fsr.enable_office_bloat = mkOption {
    type = types.bool;
    default = false;
--- a/modules/printing.nix
+++ b/modules/printing.nix
@ -2,7 +2,7 @@

 {
  # Enable CUPS to print documents.
-  services= {
+  services = {
    printing.enable = true;
    printing.drivers = with pkgs; [
      gutenprint
@ -18,19 +18,19 @@
  ];
  # set up Heiko
  hardware.printers.ensurePrinters = [
-     {
-       description = "Drucker im FSR Buero";
-       deviceUri = "dnssd://Kyocera%20ECOSYS%20M6630cidn._ipp._tcp.local/?uuid=4509a320-007e-002c-00dd-002507504ad0";
-       location = "FSR Buero";
-       model = "Kyocera ECOSYS M6630cidn KPDL";
-       name = "Heiko";
-     }
-     {
-       description = "Drucker im FSR Buero";
-       deviceUri = "dnssd://Kyocera%20ECOSYS%20M6630cidn._pdl-datastream._tcp.local/?uuid=4509a320-007e-002c-00dd-002507504ad0";
-       location = "FSR Buero";
-       model = "Kyocera ECOSYS M6630cidn KPDL";
-       name = "Heiko";
-     }
+    {
+      description = "Drucker im FSR Buero";
+      deviceUri = "dnssd://Kyocera%20ECOSYS%20M6630cidn._ipp._tcp.local/?uuid=4509a320-007e-002c-00dd-002507504ad0";
+      location = "FSR Buero";
+      model = "Kyocera ECOSYS M6630cidn KPDL";
+      name = "Heiko";
+    }
+    {
+      description = "Drucker im FSR Buero";
+      deviceUri = "dnssd://Kyocera%20ECOSYS%20M6630cidn._pdl-datastream._tcp.local/?uuid=4509a320-007e-002c-00dd-002507504ad0";
+      location = "FSR Buero";
+      model = "Kyocera ECOSYS M6630cidn KPDL";
+      name = "Heiko";
+    }
  ];
 }
--- a/modules/wifi.nix
+++ b/modules/wifi.nix
@ -3,10 +3,11 @@
 # https://tu-dresden.de/zih/dienste/service-katalog/arbeitsumgebung/zugang_datennetz/wlan-eduroam
 # https://www.stura.htw-dresden.de/stura/ref/hopo/dk/nachrichten/eduroam-meets-nixos
 #
-{ pkgs, config, ... }: 
-let  
+{ pkgs, config, ... }:
+let
  password = "$(${pkgs.coreutils}/bin/cat /run/secrets/fsr_wifi_psk)";
-in {
+in
+{
  networking = {
    wireless = {
      enable = true;
--- a/modules/wiki.nix
+++ b/modules/wiki.nix
@ -1,40 +1,42 @@
 { config, pkgs, lib, ... }:
 {
-    sops.secrets.postgres_mediawiki.owner = config.systemd.services.mediawiki.serviceConfig.User;
-    services = {
-        mediawiki = {
-            enable = true;
-            name = "FSR Wiki";
-            database = {
-                user = "mediawiki";
-                type = "postgres";
-                socket = "/var/run/postgresql";
-                port = 5432;
-                name = "mediawiki";
-                host = "localhost";
-                passwordFile = config.sops.secrets.postgres_mediawiki.path;
-                createLocally = true;
-            };
-            virtualHost = {
-                hostName = "wiki.quitte.tassilo-tanneberger.de";
-                adminAddr = "root@ifsr.de";
-                forceSSL = true;
-                enableACME = true;
-            };
-        };
-        postgres = {
-            enable = true;
-        };
+  sops.secrets.postgres_mediawiki.owner = config.systemd.services.mediawiki.serviceConfig.User;
+  sops.secrets.mediawiki_initial_admin.owner = config.systemd.services.mediawiki.serviceConfig.User;
+  services = {
+    mediawiki = {
+      enable = true;
+      name = "FSR Wiki";
+      passwordFile = config.sops.secrets.mediawiki_initial_admin.path;
+      database = {
+        user = "mediawiki";
+        type = "postgres";
+        socket = "/var/run/postgresql";
+        port = 5432;
+        name = "mediawiki";
+        host = "localhost";
+        passwordFile = config.sops.secrets.postgres_mediawiki.path;
+        createLocally = false;
+      };
+      virtualHost = {
+        hostName = "wiki.quitte.tassilo-tanneberger.de";
+        adminAddr = "root@ifsr.de";
+        forceSSL = true;
+        enableACME = true;
+      };
    };
-    systemd.services.mediawiki-pgsetup = {
-        description = "Prepare Mediawiki postgres database";
-        wantedBy = [ "multi-user.target" ];
-        after = [ "networking.target" "postgresql.service" ];
-        serviceConfig.Type = "oneshot";
+    postgresql = {
+      enable = true;
+    };
+  };
+  systemd.services.mediawiki-pgsetup = {
+    description = "Prepare Mediawiki postgres database";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "networking.target" "postgresql.service" ];
+    serviceConfig.Type = "oneshot";

-        path = [ pkgs.sudo config.services.postgresql.package ];
-        script = ''
-        sudo -u ${config.services.postgresql.superUser} psql -c "ALTER ROLE mediawiki WITH PASSWORD '$(cat ${config.sops.secrets.postgres_mediawiki.path})'"
-        '';
-    };
-}
+    path = [ pkgs.sudo config.services.postgresql.package ];
+    script = ''
+      sudo -u ${config.services.postgresql.superUser} psql -c "ALTER ROLE mediawiki WITH PASSWORD '$(cat ${config.sops.secrets.postgres_mediawiki.path})'"
+    '';
+  };
+}